Authorization Header Exposure in @hapi/wreck HTTP Client Utility
CVE-2026-44979

6.3MEDIUM

Key Information:

Vendor

Hapijs

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-44979?

The @hapi/wreck HTTP client utility, prior to version 18.1.1, contains a vulnerability where the standard credential header Proxy-Authorization is forwarded without being stripped when following a 3xx redirect to a different hostname. This behavior could lead to unintended exposure of forward-proxy credentials to untrusted hosts if redirects are enabled. The issue has been addressed in version 18.1.1, ensuring that sensitive headers are appropriately managed during redirects.

Affected Version(s)

wreck < 18.1.1

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.